Deprecation Notice to Cloud Defend Rules (#4520)

* Deprecation Notice to Cloud Defend Rules

* Udpate names in investigation guide

* Adding deprecation note under Setup field

* reverting back to setup field name

---------

Co-authored-by: Isai <[email protected]>

Author: shashank-elastic

rules/integrations/cloud_defend/container_workload_protection.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/04/05"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,12 +16,14 @@ index = ["logs-cloud_defend.alerts-*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
-name = "Container Workload Protection"
+name = "Deprecated - Container Workload Protection"
 risk_score = 47
 rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512"
 rule_name_override = "message"
 setup = """## Setup
 
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". 
+
 This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
 
 **IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
@@ -42,7 +44,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Container Workload Protection
+### Investigating Deprecated - Container Workload Protection
 
 Container Workload Protection is crucial for securing containerized environments by monitoring and defending against threats. Adversaries may exploit vulnerabilities in container orchestration or escape isolation to access host systems. The detection rule leverages alerts from cloud defense modules, focusing on suspicious activities within container domains, enabling timely triage and investigation of potential security incidents.
 

rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/06/28"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "AWS Credentials Searched For Inside A Container"
+name = "Deprecated - AWS Credentials Searched For Inside A Container"
 references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"]
 risk_score = 47
 rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767"
@@ -40,12 +40,16 @@ process where event.module == "cloud_defend" and
 (process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and
 process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*")
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS Credentials Searched For Inside A Container
+### Investigating Deprecated - AWS Credentials Searched For Inside A Container
 
 Containers often house applications that interact with AWS services, necessitating the storage of AWS credentials. Adversaries may exploit this by using search utilities to locate these credentials, potentially leading to unauthorized access. The detection rule identifies suspicious use of search tools within containers, flagging attempts to locate AWS credentials by monitoring specific process names and arguments, thus helping to prevent credential theft and subsequent attacks.
 

rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Sensitive Files Compression Inside A Container"
+name = "Deprecated - Sensitive Files Compression Inside A Container"
 risk_score = 47
 rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1"
 severity = "medium"
@@ -65,12 +65,16 @@ and process.args: (
 "/etc/shadow",
 "/etc/gshadow")
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Sensitive Files Compression Inside A Container
+### Investigating Deprecated - Sensitive Files Compression Inside A Container
 
 Containers are lightweight, portable environments used to run applications consistently across different systems. Adversaries may exploit compression utilities within containers to gather and exfiltrate sensitive files, such as credentials and configuration files. The detection rule identifies suspicious compression activities by monitoring for specific utilities and file paths, flagging potential unauthorized data collection attempts.
 

rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Sensitive Keys Or Passwords Searched For Inside A Container"
+name = "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container"
 references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"]
 risk_score = 47
 rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a"
@@ -47,12 +47,16 @@ or
     and process.args : ("*id_rsa*", "*id_dsa*")
 ))
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Sensitive Keys Or Passwords Searched For Inside A Container
+### Investigating Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container
 
 Containers encapsulate applications, providing isolated environments. Adversaries may exploit search utilities like grep or find to locate sensitive credentials within containers, potentially leading to unauthorized access or container escape. The detection rule identifies suspicious searches for private keys or passwords, flagging potential credential access attempts by monitoring process activities and arguments.
 

rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/06/06"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Modification of Dynamic Linker Preload Shared Object Inside A Container"
+name = "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container"
 references = [
     "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
     "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/",
@@ -34,12 +34,16 @@ type = "eql"
 query = '''
 file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload"
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Modification of Dynamic Linker Preload Shared Object Inside A Container
+### Investigating Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container
 
 The dynamic linker in Linux loads necessary libraries for programs at runtime, with the `ld.so.preload` file specifying libraries to load first. Adversaries exploit this by redirecting it to malicious libraries, gaining unauthorized access and evading detection. The detection rule identifies suspicious modifications to this file within containers, signaling potential hijacking attempts.
 

rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Suspicious Network Tool Launched Inside A Container"
+name = "Deprecated - Suspicious Network Tool Launched Inside A Container"
 risk_score = 47
 rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50"
 severity = "medium"
@@ -49,12 +49,16 @@ process where container.id: "*" and event.type== "start" and
 (process.args: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab"))
 )
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Suspicious Network Tool Launched Inside A Container
+### Investigating Deprecated - Suspicious Network Tool Launched Inside A Container
 
 Containers are lightweight, portable units that encapsulate applications and their dependencies, often used to ensure consistent environments across development and production. Adversaries exploit network tools within containers for reconnaissance or lateral movement, leveraging utilities like `nc` or `nmap` to map networks or intercept traffic. The detection rule identifies these tools' execution by monitoring process starts and arguments, flagging potential misuse for further investigation.
 

rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic Licence v2"
-name = "Container Management Utility Run Inside A Container"
+name = "Deprecated - Container Management Utility Run Inside A Container"
 risk_score = 21
 rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50"
 severity = "low"
@@ -43,12 +43,16 @@ query = '''
 process where container.id: "*" and event.type== "start"
   and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl")
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Container Management Utility Run Inside A Container
+### Investigating Deprecated - Container Management Utility Run Inside A Container
 
 Container management utilities like Docker and Kubernetes are essential for orchestrating and managing containerized applications. They facilitate tasks such as deployment, scaling, and networking. However, adversaries can exploit these tools to execute unauthorized commands within containers, potentially leading to system compromise. The detection rule identifies suspicious execution of these utilities within containers, signaling possible misuse or misconfiguration, by monitoring specific process activities and event types.
 

rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "File Made Executable via Chmod Inside A Container"
+name = "Deprecated - File Made Executable via Chmod Inside A Container"
 risk_score = 47
 rule_id = "ec604672-bed9-43e1-8871-cf591c052550"
 severity = "medium"
@@ -39,12 +39,16 @@ file where container.id: "*" and event.type in ("change", "creation") and
 (process.name : "chmod" or process.args : "chmod") and
 process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x"
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating File Made Executable via Chmod Inside A Container
+### Investigating Deprecated - File Made Executable via Chmod Inside A Container
 
 Containers provide isolated environments for running applications, often on Linux systems. The `chmod` command is used to change file permissions, including making files executable. Adversaries may exploit this by altering permissions to execute unauthorized scripts or binaries, potentially leading to malicious activity. The detection rule identifies such actions by monitoring for `chmod` usage that grants execute permissions, focusing on specific permission patterns, and excluding benign cases. This helps in identifying potential threats where attackers attempt to execute unauthorized code within containers.
 

rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Interactive Exec Command Launched Against A Running Container"
+name = "Deprecated - Interactive Exec Command Launched Against A Running Container"
 references = [
     "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
     "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
@@ -59,12 +59,16 @@ process.entry_leader.same_as_process== true and
 /* interactive process */
 process.interactive == true
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Interactive Exec Command Launched Against A Running Container
+### Investigating Deprecated - Interactive Exec Command Launched Against A Running Container
 
 In containerized environments, the 'exec' command is used to run processes inside a running container, often for debugging or administrative tasks. Adversaries may exploit this to gain shell access, potentially leading to further compromise or container escape. The detection rule identifies such activities by monitoring for interactive 'exec' sessions, focusing on initial processes within containers, and flagging high-risk interactions.